hlp plz


Andrew Roberts

i have the virus ( w32.funlove.4099 ) but i can't reboot my comp in dos to
destroy it.
i run windows xp home.
this is causing my comp to crash and run slow.

Andy

MAP

-----Original Message-----
i have the virus ( w32.funlove.4099 ) but i can't reboot my comp in dos to
destroy it.
i run windows xp home.
this is causing my comp to crash and run slow.

Andy


Considering that XP is not based on DOS, I can
understand why you can't boot into it.
Get yourself an anti-virus program; the definitions for
this virus are over 4 years old.


W32.FunLove.4099 replicates under Windows 95/98/Me and
Windows NT. It infects programs that have .exe, .scr,
and .ocx extensions. What is notable about this virus is
that it uses a new strategy to attack the Windows NT file
security system, and it runs as a service on Windows NT
systems.

Also Known As: Win32.FunLove.4070 [KAV], W32/FunLove.gen
[McAfee], PE_FUNLOVE.4099 [Trend], W32/Flcss [Sophos],
Win32.Funlove.4099 [CA]

Type: Virus
Infection Length: 4,099 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98,
Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX,
Windows 3.x


Virus Definitions (Intelligent Updater) *
November 11, 1999

Threat Metrics

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Moderate


Damage

Payload Trigger: Infectious File is executed and
flcss.exe is dropped and run as a regular process in
C:\Windows\System.
Payload:
Modifies files: Win32 files with .exe, .scr, or .ocx
extensions.
Degrades performance: Corrupts Windows Applications.
Causes system instability: Causes degradation in system
performance and sometimes crash.
Distribution

Shared drives: Runs as an NT service and can spread on
the local drives.
Target of infection: Win32 Files with .exe, .scr, or .ocx
extensions.


How FunLove works
Files infected with W32.FunLove.4099 insert the Flcss.exe
file into the \Windows\System (Windows 95/98/Me) or
\Winnt\System32 (Windows NT) folder. Whenever the 4,608-
byte Flcss.exe file can be created, the virus attempts to
execute it as a service on computers running Windows NT.
If for any reason the service can not be executed, the
virus creates a thread inside the infected program. This
thread infects local and network drives by searching for
Portable Executable (PE) files with .exe, .scr, or .ocx
extensions. The thread then executes inside the infected
process and the main thread of the program takes control.
In most cases, this does not cause any noticeable delays.
When the virus can execute itself as a service process
under the "FLC" name, other infected programs will try to
insert the Flcss.exe file, but will not create a new
infection thread. W32.FunLove.4099 is the second virus
that runs as a service on Windows NT.

The WNT.RemEx.A (W32.RemoteExplore) virus is very similar
in its functions to W32.FunLove.4099, but
W32.FunLove.4099 can run on both Windows 95/98 and
Windows NT. It is, therefore, considered more successful
than WNT.RemEx.A. When the virus runs as a service, it
can spread on the local drives, even if no one is logged
on. Because of this, the virus can infect files that are
normally not accessible after the logon. For example, the
virus can infect Explorer.exe on a Windows NT system.

On Windows 95/98 computers, infected programs place the
Flcss.exe file in the \System folder and try to execute
it as a regular process. If the process cannot be
executed, the virus tries to execute the infection thread
inside the infected host program.

This virus also attacks the Windows NT file security
system. For the virus to attempt the attack, it needs
administrative rights in Windows NT Server or Windows NT
Workstation during the initial infiltration. Once the
Administrator or someone with the equivalent rights logs
on, W32.FunLove.4099 has the opportunity to modify the
Ntoskrnl.exe file, the Windows NT kernel located in the
\Winnt\System32 folder. The virus modifies only two bytes
in a security API named SeAccessCheck. W32.FunLove.4099
is then able to give full access to all files to all
users, regardless of its original protection, whenever
the computer is booted with the modified kernel. This
means that a Guest--who has the lowest possible rights on
the system--can read and modify all files, including
files that are normally accessible only by the
Administrator. This is a potential problem, because the
virus can spread everywhere, regardless of the actual
access restrictions on the particular computer.
Furthermore, after the attack, no data can be considered
protected from modification by any user.

Unfortunately, the consistency of Ntoskrnl.exe is checked
only once during the startup process. The loader, Ntldr,
checks Ntoskrnl.exe when it loads into physical memory
during startup. If the kernel becomes corrupted, Ntldr is
supposed to stop loading Ntoskrnl.exe and display an
error message, even before a "blue screen" appears. To
avoid this, W32.FunLove.4099 patches Ntldr so that no
error messages are displayed, and Windows NT will boot
successfully, even if its checksum does not match the
original. Since no code checks the consistency of Ntldr
itself, the patched kernel will be loaded without
notifying the user. Because Ntldr is a hidden, system,
and read-only file, W32.FunLove.4099 changes the
attributes of it to "archive" before it attempts to patch
it. The virus does not change the attribute of Ntldr back
to its original value after the patch. FunLove can also
infect local and network drives. It enumerates the mapped
network drives and infects PE files on those computers.
In addition, the Ntoskrnl.exe and Ntldr patch is
performed on the network drives. Whenever a computer with
sufficient rights maps the System drive of a computer
running Windows NT, the virus modifies the kernel and the
loader components over the network.

The Ntoskrnl.exe and Ntldr patches are executed by a
routine picked up from the Bolzano virus. In fact, more
than 50 percent of the virus code shows similarities to
the Bolzano virus. It is very likely that the author of
these two viruses is the same person.

How FunLove locates the mapped drives on a system
FunLove uses the Windows function call WNetEnumResourceA.
Details on this function can be found in the Microsoft
Developer Network documentation.

Can Ntoskrnl.exe be infected across the network, without
Flcss.exe actually being copied to the system?
The worm infects every network drive that it finds
through the call to WNetEnumResourceA. As long as the
drive is writeable, FunLove will modify Ntoskrnl.exe over
the network, even without dropping Flcss.exe onto the
system. FunLove does not actually infect Ntoskrnl.exe,
but it changes the file's security function. Once the
affected computer is restarted, the modified Ntoskrnl.exe
and Ntldr are loaded, and security is compromised.

Files not infected
The virus does not infect files that begin with the
following characters in their names:
aler
amon
avp
avp3
avpm
f-pr
navw
scan
smss
ddhe
dpla
mpla

These are partial file names of antivirus programs, as
well as a few other programs.






Symantec Security Response encourages all users and
administrators to adhere to the following basic
security "best practices":

Turn off and remove unneeded services. By default, many
operating systems install auxiliary services that are not
critical, such as an FTP server, telnet, and a Web
server. These services are avenues of attack. If they are
removed, blended threats have fewer avenues of attack and
you have fewer services to maintain through patch
updates.
If a blended threat exploits one or more network
services, disable, or block access to, those services
until a patch is applied.
Always keep your patch levels up-to-date, especially on
computers that host public services and are accessible
through the firewall, such as HTTP, FTP, mail, and DNS
services.
Enforce a password policy. Complex passwords make it
difficult to crack password files on compromised
computers. This helps to prevent or limit damage when a
computer is compromised.
Configure your email server to block or remove email that
contains file attachments that are commonly used to
spread viruses, such as .vbs, .bat, .exe, .pif and .scr
files.
Isolate infected computers quickly to prevent further
compromising your organization. Perform a forensic
analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are
expecting them. Also, do not execute software that is
downloaded from the Internet unless it has been scanned
for viruses. Simply visiting a compromised Web site can
cause infection if certain browser vulnerabilities are
not patched.


The procedure for removing the W32.FunLove.4099 virus
depends on your operating system.

Windows 95/98/Me users
If you are running Windows 95/98/Me, Symantec Security
Response has provided a free removal tool. You can obtain
the tool and instructions for its use here.

If you prefer to remove the infection manually, see the
instructions in the sections that follow.

To delete the Flcss.exe file that was placed on the hard
drive by the W32.FunLove.4099 virus:

1. Run LiveUpdate to make sure that you have the latest
   virus definitions.
2. Run a full system scan. Make sure that you scan all hard
   drives and that NAV is set to scan all files. If NAV
   detects the virus and prompts you for an action, then
   click Quarantine.
3. Click Start, point to Find, and click Files or Folders.
   The Find All Files dialog box appears.
4. Make sure that Look in is pointing to the drive on which
   Windows is installed.
5. In the Named box, type flcss.exe and then click Find Now.
6. If the file is found, then right-click the Flcss.exe file
   in the results pane. Click Delete, and click Yes to
   confirm the deletion.
7. Close the Find All Files dialog box.

NOTES:
If you continue to be reinfected with the
W32.FunLove.4099 virus, you will have to restart Windows
in Safe Mode to remove the virus. Please follow the steps
for the version of Windows you are running:
Windows 95
1. Click Start, and click Shut Down. The Shut Down Windows
   dialog box appears.
2. Click Restart the computer, and then click Yes.
3. When you see the "Starting Windows 95" message, press F8.
4. Type the number for Safe Mode, and then press Enter.
5. Run a full system scan. Make sure that you scan all hard
   drives and that NAV is set to scan all files.
6. Repeat steps 3 through 7 in the previous section to find
   and delete the Flcss.exe file.
Windows 98
1. Click Start, and click Shut Down. The Shut Down Windows
   dialog box appears.
2. Click Restart, and then click OK.
3. Immediately press and hold down the Ctrl key.
4. Type the number for Safe Mode, and then press Enter.
5. Run a full system scan. Make sure that you scan all hard
   drives and that NAV is set to scan all files.
6. Repeat steps 3 through 7 in the previous section to find
   and delete the Flcss.exe file.

If NAV detected the Flcss.exe file and placed it in the
Quarantine folder, then you can either leave it there,
which prevents it from being run, or delete it. To delete
a file from Quarantine, please follow the steps for the
version of NAV you are running:
NAV 5.0
Start NAV, and click Quarantine.
In the right pane of the Quarantine window, click the
file that you want to delete and then click Delete Item.
Close the Quarantine window.
NAV 2000
Start NAV, and click Reports.
Double-click "View and manage the items in Quarantine."
In the right pane of the Quarantine window, click the
file that you want to delete and then click Delete Item.
Close the Quarantine window.

This virus can infect .exe files. If it infects Windows
program files, such as Explorer.exe, Windows may no
longer run. If this happens, then you must replace
the .exe file. Please see your Windows documentation for
information on how to do this.

Windows NT users
If you are using Windows NT, Symantec Security Response
has provided a free removal tool. You can obtain the tool
and instructions for its use here.

If the computer becomes reinfected
There have been several cases reported of computers being
reinfected after following the previous procedure. In
that case, you must remove the virus using the Emergency
Boot Disk. Follow these steps to do this:
Click Start, and then click Shut Down. Select Shut Down,
and then click OK.
Turn off the computer when prompted. You must turn off
the computer to clear the memory; do not simply press the
reset button. Wait at least 30 seconds.
Insert the Emergency Boot Disk into drive A, and then
turn on the computer.
Press any key when prompted, and then follow the on-
screen prompts for the Emergency Boot Disk that you are
using:
Norton System Works Emergency Boot Disk.
Select Norton AntiVirus.
Look for the following line of text at bottom of the
screen:

navdx c:\ m+ /b+ /repair /cfg:a:\

Replace that line with the following one, and then press
Enter:

navdx c: /doallfiles /repair

Allow the process to finish, remove the disk, and then
restart the computer.

Norton AntiVirus Emergency Boot Disk.
Press Ctrl+C.
Type the following, and then press Enter:

navdx c: /doallfiles /repair

Allow the process to finish, remove the disk, and then
restart the computer.

NOTE: Several cases have been reported in which
reinfection continued to occur because the Explorer.exe
and Flcss.exe files had been added to the NAV exclusions
list. To check for this, follow these steps:
1. Start NAV, and click Options.
2. Click Exclusions.
3. In the list, look for files such as Explorer.exe and
   Flcss.exe. Any files in this list will not be scanned by
   NAV.
4. Select these files if you find them, and then click
   Remove. (Do not remove the *.vi? entry.)
5. Click OK, and then exit NAV.





Additional information:

Additional repair information
In most cases, Norton AntiVirus (NAV) can repair files
that are infected with W32.FunLove.4099:

Virus definitions dated earlier than October 10, 2000,
did this by changing the 4099 bytes of viral code to
zeros. The repaired file will therefore be 4099 bytes
longer than it was before it was infected.
Virus definitions dated October 10, 2000, or later can
inoculate files that are infected with W32.FunLove.4099,
preventing them from being reinfected. Before FunLove
attempts to infect a file, it first checks to see whether
the file is already infected with FunLove. (This is a
common procedure used by many viruses. The virus uses an
algorithm to determine whether the file is infected.) To
do this, the file size is divided by 256. If the
remainder is 3, the virus assumes the file has already
been infected, and it does not reinfect the file.

When FunLove is detected with definitions dated October
10, 2000, or later, the viral code is removed from the
file. To ensure that the file cannot be reinfected, NAV
may then add extra bytes to the end of the file so that
if it is again accessed by FunLove, then the virus will
assume that the file has already been infected, and it
will not reinfect it.

DEC Alpha computers
W32.Funlove.4099 will not be able to infect files on an
Alpha computer, unless those files are accessible by a
Wintel computer, and that computer places infected files
on the Alpha computer. To clean infected files on the
Alpha platform, isolate the computer from the network and
then run an on-demand scan.



Revision History:

October 30, 2003: Downgraded from Category 3 to Category
2 due to decrease in submissions.
April 20, 2001. Downgraded from Category 4 to Category 3
due to decrease in submissions.




